On Monday, November 15, 2021, President Zuzana Čaputová signed a new law related to stricter anti-pandemic measures. This is Act No. 412/2021 Coll., amending and supplementing certain acts in connection with the third wave of the COVID-19 pandemic. In this article, you will learn what specific measures have been approved and what obligations apply to employers under the new law and the GDPR.
New measures
Measures that came into force with the signing of Act No. 412/2021 amend the Act on Offences, specifically in the area of offences in the field of healthcare. This takes into account the current situation regarding insults to healthcare workers and the falsification of documents related to COVID-19 (fake COVID passes and tests). Under the new rules, fines will be imposed for such acts. The changes also affect the area of pandemic sick leave and threats to healthcare.
However, the most anticipated changes concern employees. The new measures amend the Labor Code in relation to the employer's obligation to check employees when they enter the workplace. This is a temporary condition for entry to the workplace with the relevant document, if so stipulated by measures ordered by the competent public health authority issued on the basis of a special regulation. In practice, this means that employees will have to present proof of vaccination against COVID-19, proof of recovery from COVID-19, proof of a negative COVID-19 test result, or proof of having undergone a COVID-19 test at the employer's premises upon entering the workplace. The confirmation presented by the employee upon entry must be valid in accordance with the prescribed measure (the public health authority will prescribe the measure based on a decision of the Slovak government). If an employee fails to present the relevant document, the employer may refuse them entry to the workplace.
These measures are subject to specific regulations issued by the public health authority, but Act No. 412/2021 allows temporary restrictions on entry to the workplace even if no specific regulations have been issued. However, such a procedure must be necessary for the purposes of ensuring health protection at work. In such a case, however, this does not constitute an obstacle to work on the part of the employee.
Tests, COVID passes, and confirmation of recovery from the disease – is the processing of such personal data in accordance with the GDPR?
We do not currently have the latest version of the decree regulating employee access to the workplace, and therefore the new measures defined by Act No. 412/2021 are still awaiting implementation. As mentioned above, the law allows access to the workplace to be restricted even without a specific regulation. If the controller decides to make the entry of employees to the workplace conditional, it must proceed in a legitimate manner, i.e. by only inspecting the relevant documents. The controller must also undertake not to store or further process the personal data provided in any way.
The legal basis for such processing would be Article 6(1)(d) of the GDPR, where processing is necessary to protect the vital interests of the data subject or another natural person. This legal basis relating to the protection of life and health is applicable only for as long as no specific regulation imposing temporary restrictions on access to the workplace is issued by the public health authority. From the moment the regulation is issued and enters into force, the legal basis for the processing will be Article 6(1)(c), where processing is necessary for compliance with a legal obligation to which the controller is subject.
The scope of personal data provided by persons upon entering the premises in the form of access by an authorized person to the relevant document is as follows:
- in the case of proof of a negative test result: first name, last name, date of birth, and test result;
- in the case of proof of vaccination against COVID-19: first name, last name, date of birth, type of vaccine. Note: For vaccinated persons, it is possible to scan the QR code with a company mobile phone with a QR code reader that does not record personal data. The operator will only see that the QR code is valid and the employee will be allowed to start work.
- in the case of proof of recovery from the disease: first name, last name, date of birth, and test result.
In addition to standard personal data, these documents also contain personal data belonging to a special category of personal data – data relating to the health of the data subject (recovery from illness, type of vaccine, test result). Such data may only be processed if one of the exceptions listed in Article 9(2) of the GDPR applies. In this case, we consider the exception under Article 9(2)(i) of the GDPR to be justified, where processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high levels of quality and safety of healthcare and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy. The application of the relevant exemption is also justified with reference to Articles 52 to 54 of the GDPR. These processing principles apply in all circumstances.
It is also very important that the employer takes all necessary technical and organizational measures to ensure the protection of the personal data obtained and processes it in accordance with the GDPR and Act No. 18/2018 Coll. in cases where this Act applies.
Technical and organizational measures ensuring the protection of personal data:
- transparency – the employer, within the meaning of Article 13 of the GDPR, shall inform the data subjects in detail about the manner in which they handle personal data, e.g. through an information obligation;
- personal data shall only be processed in the form of preview;
- personal data may not be recorded in any way;
- as part of the personal data protection management system, the employer must have a detailed procedure in place for the processing of personal data (methodological guideline);
- the employer must ensure that persons authorized to access the relevant documents (test confirmation, proof of recovery from COVID-19, confirmation of full vaccination against COVID-19) are properly instructed and that such instruction is documented;
- authorized persons must be bound by confidentiality regarding the personal data obtained;
- the principle of minimization must be observed both in terms of the scope of personal data processed and the number of authorized persons.
We will inform you of any changes and updates in a timely manner.
Sources:
https://www.slov-lex.sk/pravne-predpisy/SK/ZZ/2021/412/20211115
